# Regional
####################
## OWASP Top 10 A8 - Cross-Site Request Forgery (CSRF)
### CSRF token enforcement example
### Enforce the presence of a CSRF token header on POST requests. The WAF only checks
### that the header exists with the expected length; it cannot verify the token value,
### so the application must still validate the token on every state-changing request.
resource "aws_wafregional_byte_match_set" "owasp_08_csrf_method_string_set" {
  # Only instantiated for the regional scope; the global twin is the
  # aws_waf_byte_match_set of the same name further down in this file.
  count = (lower(var.target_scope) == "regional") ? 1 : 0
  name  = join("-", [lower(var.waf_prefix), "owasp-08-match-csrf-method", random_id.this[0].hex])

  # Matches when the request method, after lower-casing, is exactly "post".
  # This is the "is it a state-changing request" half of the CSRF rule.
  byte_match_tuples {
    field_to_match {
      type = "METHOD"
    }

    positional_constraint = "EXACTLY"
    target_string         = "post"
    text_transformation   = "LOWERCASE"
  }
}
resource "aws_wafregional_size_constraint_set" "owasp_08_csrf_token_size_constrain_set" {
  # Regional scope only; see the aws_waf_size_constraint_set twin below.
  count = (lower(var.target_scope) == "regional") ? 1 : 0
  name  = join("-", [lower(var.waf_prefix), "owasp-08-csrf-token-size", random_id.this[0].hex])

  # Matches when the header named by var.csrf_expected_header has a byte length
  # exactly equal to var.csrf_expected_size, measured without any transformation.
  # NOTE(review): this is a shape check only. The WAF cannot distinguish a valid
  # token from any other string of the same length, so the application must still
  # validate the token value itself.
  size_constraints {
    field_to_match {
      type = "HEADER"
      data = var.csrf_expected_header
    }

    comparison_operator = "EQ"
    size                = var.csrf_expected_size
    text_transformation = "NONE"
  }
}
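resource "aws_wafregional_rule" "owasp_08_csrf_rule" {
  # Explicit ordering in addition to the implicit dependency through data_id.
  depends_on = [
    aws_wafregional_byte_match_set.owasp_08_csrf_method_string_set,
    aws_wafregional_size_constraint_set.owasp_08_csrf_token_size_constrain_set,
  ]

  count       = lower(var.target_scope) == "regional" ? 1 : 0
  name        = "${lower(var.waf_prefix)}-owasp-08-enforce-csrf-${random_id.this[0].hex}"
  metric_name = "${lower(var.waf_prefix)}OWASP08EnforceCSRF${random_id.this[0].hex}"

  # A WAF Classic rule matches a request only when ALL of its predicates match.
  # To *enforce* the token this rule has to match the bad requests: POSTs whose
  # token header does NOT have the expected size. That is why the size predicate
  # is negated. With negated = false the rule would match exactly the well-formed
  # POSTs instead and, under a BLOCK action, reject legitimate traffic while
  # letting token-less POSTs through.
  # NOTE(review): the action (BLOCK/COUNT) is assigned by the WebACL outside this
  # file; how a missing header is sized by the EQ check should be confirmed
  # against the WAF Classic docs before relying on it.
  predicate {
    data_id = aws_wafregional_byte_match_set.owasp_08_csrf_method_string_set[0].id
    negated = false
    type    = "ByteMatch"
  }

  predicate {
    data_id = aws_wafregional_size_constraint_set.owasp_08_csrf_token_size_constrain_set[0].id
    negated = true
    type    = "SizeConstraint"
  }
}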
# Global
####################
## OWASP Top 10 A8 - Cross-Site Request Forgery (CSRF)
### CSRF token enforcement example
### Enforce the presence of a CSRF token header on POST requests. The WAF only checks
### that the header exists with the expected length; it cannot verify the token value,
### so the application must still validate the token on every state-changing request.
resource "aws_waf_byte_match_set" "owasp_08_csrf_method_string_set" {
  # Only instantiated for the global scope; the regional twin is the
  # aws_wafregional_byte_match_set of the same name earlier in this file.
  count = (lower(var.target_scope) == "global") ? 1 : 0
  name  = join("-", [lower(var.waf_prefix), "owasp-08-match-csrf-method", random_id.this[0].hex])

  # Matches when the request method, after lower-casing, is exactly "post".
  # This is the "is it a state-changing request" half of the CSRF rule.
  byte_match_tuples {
    field_to_match {
      type = "METHOD"
    }

    positional_constraint = "EXACTLY"
    target_string         = "post"
    text_transformation   = "LOWERCASE"
  }
}
resource "aws_waf_size_constraint_set" "owasp_08_csrf_token_size_constrain_set" {
  # Global scope only; see the aws_wafregional_size_constraint_set twin above.
  count = (lower(var.target_scope) == "global") ? 1 : 0
  name  = join("-", [lower(var.waf_prefix), "owasp-08-csrf-token-size", random_id.this[0].hex])

  # Matches when the header named by var.csrf_expected_header has a byte length
  # exactly equal to var.csrf_expected_size, measured without any transformation.
  # NOTE(review): this is a shape check only. The WAF cannot distinguish a valid
  # token from any other string of the same length, so the application must still
  # validate the token value itself.
  size_constraints {
    field_to_match {
      type = "HEADER"
      data = var.csrf_expected_header
    }

    comparison_operator = "EQ"
    size                = var.csrf_expected_size
    text_transformation = "NONE"
  }
}
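resource "aws_waf_rule" "owasp_08_csrf_rule" {
  # Explicit ordering in addition to the implicit dependency through data_id.
  depends_on = [
    aws_waf_byte_match_set.owasp_08_csrf_method_string_set,
    aws_waf_size_constraint_set.owasp_08_csrf_token_size_constrain_set,
  ]

  count       = lower(var.target_scope) == "global" ? 1 : 0
  name        = "${lower(var.waf_prefix)}-owasp-08-enforce-csrf-${random_id.this[0].hex}"
  metric_name = "${lower(var.waf_prefix)}OWASP08EnforceCSRF${random_id.this[0].hex}"

  # A WAF Classic rule matches a request only when ALL of its predicates match.
  # To *enforce* the token this rule has to match the bad requests: POSTs whose
  # token header does NOT have the expected size. That is why the size predicate
  # is negated. With negated = false the rule would match exactly the well-formed
  # POSTs instead and, under a BLOCK action, reject legitimate traffic while
  # letting token-less POSTs through.
  # NOTE(review): the action (BLOCK/COUNT) is assigned by the WebACL outside this
  # file; how a missing header is sized by the EQ check should be confirmed
  # against the WAF Classic docs before relying on it.
  predicates {
    data_id = aws_waf_byte_match_set.owasp_08_csrf_method_string_set[0].id
    negated = false
    type    = "ByteMatch"
  }

  predicates {
    data_id = aws_waf_size_constraint_set.owasp_08_csrf_token_size_constrain_set[0].id
    negated = true
    type    = "SizeConstraint"
  }
}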